Local Privilege

With the help of an article (https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/), I was able to find a PHP local file inclusion. I was then able to curl the page information and base64 decode it.

From upload.php I learn that only logged-in users are authorized to upload. So I log in to MySQL using the credentials from config.php and dump the users table. The stored values are base64 encoded, so I decode those as well.

I then upload shell.gif through the uploader and find the file's id by browsing to the upload directory (http://192.168.56.103/upload/). Then I browse to index.php and tamper with the lang cookie through a proxy to include my malicious gif.

Now that I am mike, I move to the mike directory, where I find another SUID binary, this time owned by root. I run strings to understand what it does and learn that it performs a basic string substitution, which lends itself perfectly to basic command execution.

On Exploit-DB I find that advanced-video-embed-embed-videos-or-playlists v1.0 has a local file inclusion vulnerability: https://www.exploit-db.com/exploits/39646/. I download the exploit and modify it for SSL using the following code.

With this vulnerability, I was able to download both wp-config.php and /etc/passwd. After running the exploit, I browsed to https://192.168.56.102:12380/blogblog/wp-content/uploads/ to see the random id assigned to my file. Viewing it in the browser fails, because the browser cannot render a configuration file as a jpeg, so I pulled down the text with curl.

I am then able to log in over FTP as Elly and pull down all the sensitive files. The most useful file to pull down is /etc/passwd, which gives a user list for an SSH brute force. Using this, I obtain a local shell as SHayslett.

Privilege Escalation 2: SUID

Once I have a local shell, I search for potential vulnerabilities using Linux Priv Checker, which can be found at http://www.securitysift.com/download/linuxprivchecker.py. Using this script, I find a world-writable cron job.

I then point the world-writable cron job at a SUID-setter program that I write and compile myself. Once the cron job runs, I have a nice file to execute to get root.
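The world-writable cron job is exactly what a defender should be looking for as well. The following is an added example, not the post's code and not linuxprivchecker.py: a small audit that walks the standard cron locations (or any paths given) and flags cron files, and the scripts that their crontab lines run, that any user may modify. The directory tree built in demo() is constructed for the example.

```python
import os
import tempfile

CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily"]

def is_world_writable(path):
    """True if 'other' may write the path; symlinks are skipped because their mode bits mean nothing."""
    try:
        return not os.path.islink(path) and bool(os.stat(path).st_mode & 0o002)
    except OSError:
        return False

def referenced_commands(text):
    """Absolute command paths from system-crontab lines (m h dom mon dow user command)."""
    cmds = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) == 7 and not fields[0].startswith("#") and fields[6].startswith("/"):
            cmds.append(fields[6].split()[0])
    return cmds

def audit_cron(paths=CRON_PATHS):
    """Sorted (path, reason) findings: world-writable cron files and the scripts they run."""
    findings = set()
    for p in paths:
        entries = [os.path.join(p, f) for f in os.listdir(p)] if os.path.isdir(p) else [p]
        for f in entries:
            if is_world_writable(f):
                findings.add((f, "world-writable cron file"))
            if os.path.isfile(f):
                with open(f, errors="replace") as fh:
                    for cmd in referenced_commands(fh.read()):
                        if is_world_writable(cmd):
                            findings.add((cmd, "world-writable script run by cron"))
    return sorted(findings)

def demo():
    """Constructed tree: a cron.d entry (itself 0644) that runs a 0777 backup script."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho backup\n")
    os.chmod(script, 0o777)  # the kind of misconfiguration the post's cron job had
    crond = os.path.join(root, "cron.d")
    os.mkdir(crond)
    entry = os.path.join(crond, "backup")
    with open(entry, "w") as fh:
        fh.write("PATH=/usr/bin\n*/5 * * * * root %s --quiet\n" % script)
    os.chmod(entry, 0o644)
    return audit_cron([crond])
```

Run audit_cron() with no arguments on a real host to check the default locations; any finding is a path that a low-privileged user could turn into code run by root, which is the escalation described above.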

Privilege Escalation 3: Kernel Exploit

Next, I find the Linux Kernel 4.4.x (Ubuntu 16.04) 'double-fdput()' in bpf(BPF_PROG_LOAD) exploit at https://www.exploit-db.com/exploits/39772/. I download the exploit, untar the file, compile it, and run it.

Saturday, January 30, 2016

After about four months of studying on and off, I passed the CISSP certification exam. This test contains content that is one inch deep and a mile wide. You are given six hours to complete an extremely long 250-question exam. Although the test is long and the questions are wordy, it is very fair, with only a few tricky questions.

Study Materials

The most important resource I used was the Cybrary.it videos, and best of all they are FREE. Kelly Handerhan KNOWS her stuff. She covers all the content areas at the correct depth of information and helps you know which areas are most important to focus on to pass the exam.

The next few resources I used were the All-in-One CISSP Study Guide by Shon Harris, CISSP Practice Exams by Shon Harris, and the McGraw-Hill Practice Tests. For your information, Shon Harris wrote all of these resources. The All-in-One book goes into a HUGE amount of unnecessary depth on all the topics. I read it cover to cover and took all the tests. However, you might be able to get away with focusing on the definitions. As for the practice tests, they were more technical than, but just as wordy as, the actual exam. Using these test questions, I was able to practice deciphering wordy questions and the testing strategy given in the Tips section of this blog post.

Lastly, I used the 11th Hour CISSP Study Guide by Eric Conrad for my final review. This book does a great job of describing the application of concepts. However, I would not recommend using only this book, because its depth may be too shallow to be successful on the exam. It really helps with tying together things you already know.

Exam

The test took me a little over 4 of the 6 hours. One of the most important things I learned in my study was that not all domain areas are created equal. If I had to rank the domains by prevalence it would be:

1. Information Security & Risk

2. Business Continuity

2. Access Control

4. Telecommunications

4. Software Dev

6. Crypto

7. Security Architecture

8. Legal

9. Physical

10. Operations

Note: There are significantly more questions from the top 5 domains than from the remaining ones.

Tips

Set a test date at a reasonable distance away and work toward that date. Without the exam cost hanging over your head, it is likely you won't ever feel "ready".

Focus on the high-level topics and their application, like a manager would. Do not focus on nitty-gritty technical details or in-depth memorization of standards. In this exam, you are there to point out problems, not to fix them.

Nine times out of ten, if an answer has more bureaucracy, it will be the correct one.

Don't get psyched out if questions are hard or weird. Those may just be beta questions that won't count against your score.

Due to the wordiness of the questions, it is better to eliminate incorrect answers than to find the correct one. In most questions, you can eliminate two incorrect answers, giving you a 50/50 chance. Statistically, if you change 1000 possible answers to 500 across 250 questions, even if you guess, you will be guessing close to 75%. This tool totally worked for me!

TAKE CARE OF YOUR BODY! It is much more important to get a good night's sleep the night before than to cram more information into your head. This is a LONG test that you need endurance to pass. Make sure you are well fed with light, nutritious meals so you won't be sleepy.

Thursday, September 24, 2015

After about two and a half months of dedicating the majority of my time to the certification, I successfully became an OSCP. I have read many different blogs that give great advice, but I thought I would add my spin on it as well.

This certification is very time intensive. However, I feel it is the most worthwhile certification for an entry-level Penetration Tester, and it will give you some credibility within the community. Throughout the certification, your primary focus will be exploiting and escalating privilege on vulnerable hosts.

Preparation

In preparation, I spent some time working on some vulnerable hosts on Vulnhub. On this site, people develop vulnerable machines very much like the ones you will see on the OSCP. You download the vulnerable machine, host it on your computer, and attack it. This is great practice for those who are unsure if the OSCP is for them.

If you can complete these, even with a little help of the walkthroughs, you should be at the right skill level for the OSCP.

Also, I developed a script, much like Mike at Security Sift did, to help automate the enumeration process. Since I have a developer background, this was relatively easy and painless. It was really time effective to have my enumeration process completely automated. However, this is not essential.

Course

I recommend going through all the exercises. If you do not, you may not have all the tools you need for the job. Also, it will teach you buffer-overflows in great detail. It wouldn't hurt to review this multiple times. I did. Also, pay close attention to the enumeration section. This is the majority of what you will be doing for the rest of the certification. You will also need to be prepared to take copious amounts of notes in both the lab and exam environment regarding your path of exploitation and privilege escalation. This will help you greatly with the writeup!

In the lab environment, enumeration is the key! Many machines will be much easier if you have all of the information available. Also, some machines have dependencies on other network machines. If there doesn't seem to be a point of entry and you have enumerated well, the data you need is probably on another machine. Move on and try again later.

I compromised almost all of the public network with a couple of machines in each of the other networks. I would recommend compromising most, if not all, of the public network before taking your exam. Also, the Admins in the IRC are a great resource for helping push you in the right direction on the lab machines.

Exam

The exam is really where the rubber meets the road. In preparation for the exam, I wrote up my entire lab writeup. This included the exercises, labs, executive summary, remediations, conclusion, and any other piece necessary. I created a template for each machine to fill in once I had completed the exam. I did this because the last thing I wanted to do was spend all of the next 24 hours writing a long report after I had exhausted myself cracking machines for most of the night. Using my template, I was able to complete the exam writeup in two hours.

I was told that if your exam score is on the threshold of passing, reporting on your lab machines and exercises will greatly improve your likelihood of passing the OSCP. Begin working on your reporting early and be thorough. I don't want to get too specific about the exam, but what I can say is that if you have worked hard in the lab environment, it shouldn't be anything well beyond your understanding.

After reflecting on my exam, I learned I should have taken care of my body better. Get as much sleep as you can the day before, and as much as you may want to work until the exam is completed, DON'T. Getting some sleep and looking at it fresh will help you not to spin your wheels. I spent too much time spinning my wheels in stubbornness.

Recap

1. Enumerate, Enumerate, Enumerate

2. Take detailed notes in exercises, labs, and the exam. It will make report writing exponentially faster.

Tuesday, September 22, 2015

Background
I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed for this machine to be very similar in difficulty to those I was breaking on the OSCP. This is a walkthrough to guide those who get stuck to complete the challenge. This is a boot-to-root machine and does not require any guest interaction.

Note: There is one local privilege entry and there are two different root privilege escalations.

Exploitation
Upon booting up the machine, I did a full TCP scan of the host; only SSH is open.

Upon banner grabbing we see:

Knock Friend? 1,2,3? That seems like port knocking to me..

Another full nmap scan reveals a web server has opened!

Webapp

After examining the webapp with Nikto and Dirb, there is nothing of interest. But I was able to find some things through manual testing and examination.

Index.html

But there is a comment on the 404 page...

The comment seems to be base64 so we decode that:

This URL takes us to a php login page that is vulnerable to SQL injection!

So we dump the data with sqlmap:

The root MySQL password was also weak:

We checked for password reuse on ssh:

We are in low privilege!

There are two privilege escalations and both are described.

Escalation A Buffer overflow:

We found a SUID buffer overflow in the /SECRET directory. There are three files, but when you look at their sizes, one is smaller than the other two. This smaller one is the buffer overflow.

We moved a copy of the file into temp for exploit development, so we didn't have to deal with the switching, and verified the crash.

Next, we download GDB PEDA. This gdb extension is the absolute best for exploit dev!

We verified the crash in PEDA using our exploit code. Notice we have overwritten EIP with 0x41414141, the ASCII characters "AAAA".

We also check for security precautions, but there are none.

HOWEVER, ASLR is on.
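The two checks above (binary protections, then system ASLR) are worth being able to run without a debugger. As an added example, not the post's tooling, this parser reads the same protections a checksec run reports straight from the ELF program headers: NX from PT_GNU_STACK, PIE from the ELF type, RELRO from PT_GNU_RELRO, plus a helper that interprets the ASLR sysctl. The header-only ELF produced by build_minimal_elf32() is constructed purely so the parser can be exercised offline; stack-canary detection needs the symbol table and is left out.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1
ET_EXEC, ET_DYN = 2, 3

def elf_protections(data):
    """Report NX, PIE and RELRO from an ELF's headers (canary detection needs symbols; omitted)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx, relro = False, False  # no PT_GNU_STACK means the loader falls back to an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def check_binary(path):
    """Run elf_protections() on a file on disk, e.g. a SUID binary found during a review."""
    with open(path, "rb") as fh:
        return elf_protections(fh.read())

def aslr_setting(text):
    """Meaning of /proc/sys/kernel/randomize_va_space (0 off, 1 stack/mmap/vdso, 2 also brk)."""
    return {"0": "off", "1": "partial", "2": "full"}.get(text.strip(), "unknown")

def build_minimal_elf32(exec_stack=False, pie=False, relro=False):
    """Constructed header-only ELF32 (not runnable) so the parser can be exercised offline."""
    phdrs = [(PT_GNU_STACK, (0x6 | PF_X) if exec_stack else 0x6)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # 32-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, 3, 1, 0, 52, 0, 0,
                               52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 16) for t, f in phdrs)
    return ehdr + body
```

A binary that reports nx False and pie False, on a host whose randomize_va_space reads 2, is in exactly the state the post describes: the stack is executable, but its address moves on every run.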

Using GDB PEDA, we find our EIP offset.

Next, we verify control of the EIP register. Notice the crash is on 0x42424242, which is "BBBB".

We generate our shellcode using PEDA and add it to the exploit.

Now that we know we have ASLR to circumvent, we need to modify our exploit code.

Because ASLR randomizes the address space and there are no good jmp esp instructions to use, we do not have a predefined location in memory to jump to. This means we need to brute-force the solution. I ran the program in gdb a handful of times to get a feeling for where the stack was landing on execution, since it is different every time. I noticed that it always started with BF and the last 6 bytes were different. So I chose CC because it was in the middle of my random sample of stack locations. The last 4 digits I used were arbitrary. Next we make a GIANT NOP sled. I used 20480, but it could potentially be larger.

Lastly, I wrote code to find the smallest buffer-overflow file by size, in case the file tries to switch mid-run, and put that code in a while loop to run indefinitely. If we get a segfault, the loop replays the request; if we land on our shellcode, it stops on the shell, giving us shell access.

This was our final code:

Note: You will notice backoff in the os call. This is expected because os.system is a blocking call. You could make it non-blocking to improve the script, but I used os.system for a quick and dirty solution.

Success!
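From the defender's side, the brute force described above leaves a loud trail: every missed guess is a fresh segfault of the same binary, with a new pid and a different stack pointer each time, dozens of times per minute. This added example (not from the post) parses kernel segfault lines as they appear in syslog (the line format is assumed from typical kernel output) and flags a binary that crashes repeatedly within a short window; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kernel segfault report as it appears in syslog (format assumed from typical kernel output).
SEGV_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[\d. ]+\] )?(?P<comm>\S+?)"
    r"\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error \d+")

def parse_segfaults(lines, year=2015):
    """Return (timestamp, comm, pid, ip, sp) tuples for every segfault line; syslog lacks the year."""
    events = []
    for line in lines:
        m = SEGV_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("comm"), int(m.group("pid")), m.group("ip"), m.group("sp")))
    return events

def crash_storms(events, threshold=5, window_s=60):
    """Binaries with >= threshold crashes inside any window_s span: the shape of the post's
    brute force (fresh pid each run, same faulting ip, stack pointer different every time)."""
    by_comm = defaultdict(list)
    for ts, comm, pid, ip, sp in events:
        by_comm[comm].append((ts, pid, sp))
    storms = {}
    for comm, evs in by_comm.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                storms[comm] = {"count": j - i, "distinct_pids": len({p for _, p, _ in evs[i:j]}),
                                "distinct_sp": len({s for _, _, s in evs[i:j]})}
                break
    return storms

SAMPLE_LOG = [  # constructed lines, not taken from the post
    "Sep 22 10:15:01 vuln kernel: BufferOverflow[2001]: segfault at 42424242 ip 42424242 sp bfc81230 error 14",
    "Sep 22 10:15:02 vuln kernel: BufferOverflow[2002]: segfault at 42424242 ip 42424242 sp bfd13e70 error 14",
    "Sep 22 10:15:02 vuln kernel: BufferOverflow[2003]: segfault at 42424242 ip 42424242 sp bfa4c5a0 error 14",
    "Sep 22 10:15:03 vuln kernel: BufferOverflow[2004]: segfault at 42424242 ip 42424242 sp bfe9f110 error 14",
    "Sep 22 10:15:40 vuln kernel: firefox[1777]: segfault at 0 ip b7e2c1c0 sp bf9d0a40 error 4",
    "Sep 22 10:15:03 vuln kernel: BufferOverflow[2005]: segfault at 42424242 ip 42424242 sp bfcb7880 error 14",
]

def demo():
    return crash_storms(parse_segfaults(SAMPLE_LOG))
```

A single crash of a desktop program is noise; the same SUID binary faulting at the same ip with a different sp every second is the brute-force loop from the previous section, and a good trigger for an alert on the host.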

Escalation B MYSQL:

Since we have the MySQL root password and MySQL is running as root, we can use UDFs to escalate.